Improving Cybersecurity in Healthcare

Education is key to improving cybersecurity in healthcare.

Our healthcare system has changed dramatically in the past decade, but it has grown too fast for its own good.

The changes have led to a slew of new discoveries in medicine and have streamlined portions of the medical process, but they haven’t been enough to keep up with the times.

Electronic Health Records (EHR) became mandatory with the introduction of the Affordable Care Act in 2010, but still remain extremely vulnerable. Just like anything else digital, the private lives and medical records of patients around the world are prime targets for cybercriminals.

Hospitals, family practice facilities, government healthcare programs, and more can be exposed to malware and hackers. Many EHR companies and healthcare facilities must evolve in order to stay ahead of growing cyber threats.

Within the past two years, healthcare schools and facilities have invested countless hours and training into promoting cybersecurity in healthcare. There has even been a new field introduced to the medical world: the clinical systems manager, or healthcare IT professional.

Despite these efforts, many hospitals and facilities are still exposed to numerous risks from hackers every day. How can they improve their practices and make their patients’ records safer? How can cybersecurity in healthcare evolve to stay ahead?

Identifying the Skills Gap

One of the biggest concerns among healthcare IT professionals is the lack of trained individuals entering the industry. There is a major cybersecurity personnel shortage happening, and many hospitals are not able to find clinical systems managers with extensive experience.

Additionally, everyday nurses and doctors do not have the experience needed to know when they’re posing a risk, and some facilities lack qualified IT professionals entirely. The structure for security and training isn’t available to most healthcare practices.

ISACA’s State of Cyber Security 2017 looked at the widening skills gap for cybersecurity experts across all fields, not just healthcare. The study particularly focused on managers and individuals whose roles utilized some cybersecurity experience.

“Only 59 percent of surveyed organizations [across all relevant fields] say they receive at least five applications for each cyber security opening, and only 13 percent receive 20 or more. In contrast, studies show most corporate job openings result in 60 to 250 applicants.”

Equally disheartening, 37 percent of respondents to the ISACA survey stated that only one in four applicants were fully qualified for the position.

For a quarter of the companies that responded to the survey, filling a priority position within their cybersecurity department can take upwards of six months: time that leaves them exposed to threats and security risks.

There is no doubt that the need for more professional cybersecurity experts will increase dramatically over the next decade, but it appears that the skills gap will continue to widen, not diminish, in the future.

Healthcare is a field struggling to draw in qualified professionals. However, some schools are stepping up to meet this demand by training nurses and doctors on basic online security protections.

Both EHRs and computerized provider order entry (CPOE) systems help physicians and nurses provide better and more accurate care to their patients, but they are still not heavily used in the medical field because many private practices are unwilling to transition to this new format.

Although nurses are not particularly trained in all the nuances of cybersecurity in healthcare, they can still help prevent breaches from happening and will need to understand the importance of not being careless with their devices.

This risk-management approach—providing education to all members of an organization to help better emphasize the importance of staying secure—might be the best option for addressing the rising skills gaps within the industry.

“The statement that cybersecurity is everyone’s problem really holds true,” said ISACA Senior Manager of Information Security Frank Downs. “There needs to be a baseline understanding and a baseline training specifically among other industries.”

It must be a group effort between employees at all levels within an organization as well, he shared.

For example, healthcare providers should ensure that nurses or clinicians do not leave screens open when they leave a room. Patients could inadvertently have access to other patients’ personal health information, and see data that should remain private.

Additional Measures

Outside of training nurses and doctors in the field, there is still an overwhelming lack of qualified cybersecurity professionals to help combat online threats. Hospitals and private practices only have so many resources, and can’t always hire high-value specialists to help protect their data.

To address the skills gap more directly, some researchers suggest promoting cross-training for those who work in a related field, such as IT or networking.

Putting money into their education and certification is a worthy investment, and many of them can be fully qualified within a year. For those facilities that don’t have IT professionals, outsourcing is another potential avenue to help maintain security.

Hospitals and organizations that specialize in online security are also starting to create cyber exercises.

“Organizations will increase the use of external consultants to ensure objective security and risk assessments, penetration testing, and red team efforts to better understand potential weaknesses in the enterprise before the cyber criminals find them and critically review contingency plans,” shared Mac McMillan, Co-founder and CEO of CynergisTek, Inc.

When these plans are implemented across the organization, they can help all individuals—not just IT—prepare and manage against potential risks.

As healthcare and cyber threats continue to evolve, the industry will find that the best method of adapting to these threats is through education. This includes educating the next generation of nurses as well as the current generation, and continuing that education throughout a person’s career.

Simply outsourcing IT professionals is not a viable option; the current workforce must be educated and trained to meet the high demand for healthcare cybersecurity personnel, and to tackle the challenges of an ever-changing healthcare and technological system.

Katie McBeth is a researcher and writer out of Boise, ID, with experience in marketing for small businesses and management. Her favorite subject of study is millennials, and she has been featured on Fortune Magazine and the Quiet Revolution. You can follow her writing adventures on Instagram or Twitter: @ktmcbeth.